Juniper to Acquire Funk

Expanded NAC enforcement across product line on tap.

Just weeks after announcing its first dedicated product for network access control, Juniper Networks Inc. last week said it will buy Funk Software Inc. to boost its network access security lineup.
Juniper, of Sunnyvale, Calif., will pay $122 million for Funk, of Cambridge, Mass., in an all-cash transaction that still must be approved by the companies shareholders.

Juniper plans to use the Funk technology to extend enforcement of NAC from its NetScreen firewalls to Layer 2 switches.

The move will bring Juniper into more direct competition with its chief rival in the NAC space, Cisco Systems Inc. But some experts worry about how Juniper will integrate Funk into its product line, as well as Junipers plans for Funks other products, such as the Steel-Belted Radius server.
Funks technology will help Juniper provide a comprehensive network enforcement architecture based on open standards, such as the Trustworthy Computing Groups TNC (Trusted Network Connect) standard, said Hitesh Sheth, vice president of enterprise products and solutions at Juniper, in a conference call to discuss the deal.
Most of Funks 140 employees will remain at the companys Cambridge headquarters, and CEO Paul Funk will be named senior executive of Junipers Security Products Group, said Bob Dykes, Junipers chief financial officer and executive vice president of business operations.

Funk made its name providing access control technology such as RADIUS, which lets organizations validate the credentials of users trying to access a network. Funk was an early supporter and adopter of the TNC open-source NAC technology.
In May, Funk announced new versions of the Steel-Belted Radius server and 802.1x Odyssey client that support TNC standards for client integrity checks and user quarantining.
Funks ability to interoperate with TNC-compliant technology from third-party vendors, such as Check Point Software Technologies Ltd. and McAfee Inc., was attractive to Juniper, which wants to build a unified architecture for access control that supports "best of class" products from third parties, rather than requiring customers to change their infrastructure just to acquire NAC features, Sheth said. "We want an enforcement strategy that secures the infrastructure customers already have with standards-based applications," he said.
Juniper will integrate Funks endpoint control technology with its Enterprise Infranet Controller. That product, which Juniper announced last month, uses a hardware appliance and desktop agent to coordinate policy enforcement across enterprise networks through the companys NetScreen firewalls, Sheth said. Using switches to enforce security policy allows enterprises to stop infected hosts before they get access to a corporate LAN, by blocking communications ports or transferring machines to quarantine areas.
In contrast, NetScreen firewalls can block access only at the boundaries between network zones, such as subnets, said Burton Group analyst Eric Maiwald in Union Bridge, Md.
Last month, Cisco unveiled an update to its Network Admission Control program that extends NAC features from the companys routers to its Catalyst switches and enterprise wireless gear, including the Catalyst 6500, 4500 and 4900 Series platforms and Aironet access points.
Cisco has promised to submit its NAC technology for approval as an open standard. However, the company has been criticized for excluding other network equipment makers from the NAC program and forcing customers to standardize on Cisco hardware to take advantage of NAC features.
Juniper plans to offer similar kinds of protection as Ciscos NAC, but the technology will be based on open standards. In addition, the company will work with vendors such as Microsoft Corp. to make sure that its products integrate with NAP (Network Access Protection) and other architectures, Sheth said.
Funks Steel-Belted Radius server will also fit well into Junipers Enterprise Infranet Controller architecture and could become a standard part of that solution for managing interfaces to user stores such as LDAP, Active Directory and RADIUS, Maiwald said.